– Transak, a so-called "onramp" used by crypto platforms like Metamask, Binance and Trust Wallet allowing customers to buy cryptocurrencies, says the leak was limited to "names" and "basic identity information."
– The attack is being categorized as "mild or moderate" since it didn't involve social-security numbers or credit-card details.
– A ransomware group is making demands.
– The employee reportedly responsible for the breach has been "exited," Transak officials told CoinDesk.
A crypto-industry employee's use of a laptop for non-work purposes is reportedly at the heart of a data breach involving some 93,000 unique users – and now a ransomware group is attempting to negotiate with the company that was targeted.
Transak, an "onramp" used by a number of popular blockchain companies to allow customers to buy cryptocurrencies, disclosed in a blog post on Monday that it had fallen victim to a data breach. According to Transak, the leaked data was limited to "names" and "basic identity information."
In an interview with CoinDesk, Transak CEO Sami Start said that 93,000 people were impacted by the breach, and that the exposed data included passports, ID cards and selfies that customers had used to verify their identities with crypto financial products.
The team is categorizing the incident as "mild or moderate," Start said, since it did not involve more sensitive information that might bring greater risk. Additionally, according to the company, only 1.14% of the user base was affected.
"There's no bank statements, there's no social security numbers, there's no credit card information, there's not even any emails or passwords that were accessed, which limits the severity of this incident significantly," he said.
Ransomware group claims responsibility
The CEO said Transak was reaching out to customers and had notified law enforcement as well as data regulators.
But the company is also in the position of being asked to negotiate for mitigation measures with a ransomware group that claimed responsibility for the attack and that has already ridiculed a purported $30,000 offer to delete the stolen data.
The ransomware group says the data came from a larger subset of Transak's customers and did include some financial data.
"This breach has impacted all KYC [know your customer] DATA processed through Transak's infrastructure," the ransomware group claimed in a public Telegram group that it operates. "We have extracted more than 300GB of data, which includes sensitive personal documents such as government-issued IDs, proof of address, financial statements, and user selfies."
The ransomware group claims it has only released a subset of the stolen data it has on hand. If Transak fails to pay a ransom, the group threatened to "leak the remaining data or sell it to the highest bidder."
Popular onramp
Transak provides developers with tools to bridge users from fiat to crypto, such as by allowing them to purchase cryptocurrencies via credit card. According to its website, Transak has been integrated into major blockchain wallets like Metamask and Trust Wallet, among others. Crypto exchanges like Coinbase and Binance.US also use Transak's services.
Start told CoinDesk that Transak is not interested in negotiating with the ransomware group.
"We don't know if they necessarily did this or if they're just claiming credit for it," said Start. "They've released this evidence where they've shown some screenshots from our KYC vendor, but it's possible that someone else posted that somewhere else and they've just taken credit for it."
According to Start, the data breach occurred because an employee "used their laptop for things other than work."
"They've been exited from the company," said the Transak CEO. "They did some non-work related activities on their laptop that caused them to run a script – a malicious script – that gave access to their system."
That foothold enabled the hackers to reach one of the third-party user-authentication, or KYC (know-your-customer), services that Transak uses. According to Start, this particular vendor had a "vulnerability" in its system, which allowed the attacker to download a subset of Transak's user data through the compromised device.
In his interview with CoinDesk, Start insisted that the data breach was limited exclusively to this KYC service.
"Any rumors about accessing any other systems are not true," Start said. The attackers "may have gotten some screenshots that were in the employee's download folder – maybe one or two screenshots of some other system – but they only accessed this one vendor, and they only accessed the users that I mentioned. I challenge anyone to show otherwise."